fix: crash in operator console for missing fsGroup (#2211)
Bonus: add support for "fsGroupChangePolicy". Bonus: keep only GitHub Actions in the workflow folder.
2
.github/workflows/jobs.yaml
vendored
@@ -193,7 +193,7 @@ jobs:
|
||||
curl -sLO "https://dl.k8s.io/release/v1.23.1/bin/linux/amd64/kubectl" -o kubectl
|
||||
chmod +x kubectl
|
||||
mv kubectl /usr/local/bin
|
||||
"${GITHUB_WORKSPACE}/.github/workflows/deploy-tenant.sh"
|
||||
"${GITHUB_WORKSPACE}/tests/deploy-tenant.sh"
|
||||
echo "start ---> make test-operator-integration";
|
||||
make test-operator-integration;
|
||||
|
||||
|
||||
@@ -37,8 +37,10 @@ import (
|
||||
type SecurityContext struct {
|
||||
|
||||
// fs group
|
||||
// Required: true
|
||||
FsGroup *string `json:"fsGroup"`
|
||||
FsGroup string `json:"fsGroup,omitempty"`
|
||||
|
||||
// fs group change policy
|
||||
FsGroupChangePolicy string `json:"fsGroupChangePolicy,omitempty"`
|
||||
|
||||
// run as group
|
||||
// Required: true
|
||||
@@ -57,10 +59,6 @@ type SecurityContext struct {
|
||||
func (m *SecurityContext) Validate(formats strfmt.Registry) error {
|
||||
var res []error
|
||||
|
||||
if err := m.validateFsGroup(formats); err != nil {
|
||||
res = append(res, err)
|
||||
}
|
||||
|
||||
if err := m.validateRunAsGroup(formats); err != nil {
|
||||
res = append(res, err)
|
||||
}
|
||||
@@ -79,15 +77,6 @@ func (m *SecurityContext) Validate(formats strfmt.Registry) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m *SecurityContext) validateFsGroup(formats strfmt.Registry) error {
|
||||
|
||||
if err := validate.Required("fsGroup", "body", m.FsGroup); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (m *SecurityContext) validateRunAsGroup(formats strfmt.Registry) error {
|
||||
|
||||
if err := validate.Required("runAsGroup", "body", m.RunAsGroup); err != nil {
|
||||
|
||||
@@ -4203,13 +4203,15 @@ func init() {
|
||||
"required": [
|
||||
"runAsUser",
|
||||
"runAsGroup",
|
||||
"runAsNonRoot",
|
||||
"fsGroup"
|
||||
"runAsNonRoot"
|
||||
],
|
||||
"properties": {
|
||||
"fsGroup": {
|
||||
"type": "string"
|
||||
},
|
||||
"fsGroupChangePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"runAsGroup": {
|
||||
"type": "string"
|
||||
},
|
||||
@@ -9833,13 +9835,15 @@ func init() {
|
||||
"required": [
|
||||
"runAsUser",
|
||||
"runAsGroup",
|
||||
"runAsNonRoot",
|
||||
"fsGroup"
|
||||
"runAsNonRoot"
|
||||
],
|
||||
"properties": {
|
||||
"fsGroup": {
|
||||
"type": "string"
|
||||
},
|
||||
"fsGroupChangePolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"runAsGroup": {
|
||||
"type": "string"
|
||||
},
|
||||
|
||||
@@ -2762,15 +2762,28 @@ func parseTenantPool(pool *miniov2.Pool) *models.Pool {
|
||||
var securityContext models.SecurityContext
|
||||
|
||||
if pool.SecurityContext != nil {
|
||||
fsGroup := strconv.Itoa(int(*pool.SecurityContext.FSGroup))
|
||||
runAsGroup := strconv.Itoa(int(*pool.SecurityContext.RunAsGroup))
|
||||
runAsUser := strconv.Itoa(int(*pool.SecurityContext.RunAsUser))
|
||||
|
||||
var fsGroup string
|
||||
var runAsGroup string
|
||||
var runAsUser string
|
||||
var fsGroupChangePolicy string
|
||||
if pool.SecurityContext.FSGroup != nil {
|
||||
fsGroup = strconv.Itoa(int(*pool.SecurityContext.FSGroup))
|
||||
}
|
||||
if pool.SecurityContext.RunAsGroup != nil {
|
||||
runAsGroup = strconv.Itoa(int(*pool.SecurityContext.RunAsGroup))
|
||||
}
|
||||
if pool.SecurityContext.RunAsUser != nil {
|
||||
runAsUser = strconv.Itoa(int(*pool.SecurityContext.RunAsUser))
|
||||
}
|
||||
if pool.SecurityContext.FSGroupChangePolicy != nil {
|
||||
fsGroupChangePolicy = string(*pool.SecurityContext.FSGroupChangePolicy)
|
||||
}
|
||||
securityContext = models.SecurityContext{
|
||||
FsGroup: &fsGroup,
|
||||
RunAsGroup: &runAsGroup,
|
||||
RunAsNonRoot: pool.SecurityContext.RunAsNonRoot,
|
||||
RunAsUser: &runAsUser,
|
||||
FsGroup: fsGroup,
|
||||
RunAsGroup: &runAsGroup,
|
||||
RunAsNonRoot: pool.SecurityContext.RunAsNonRoot,
|
||||
RunAsUser: &runAsUser,
|
||||
FsGroupChangePolicy: fsGroupChangePolicy,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
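Review bot: In the new nil guards of parseTenantPool, `runAsGroup` and `runAsUser` are still returned as `&runAsGroup` / `&runAsUser` when the pod security context leaves them unset, so the API reports an empty string for two fields the model still marks as required. If a client sends that value back, `strconv.ParseInt` in convertModelSCToK8sSC will presumably reject it, so consider leaving the pointer nil in that case. Separately, `strconv.Itoa(int(*pool.SecurityContext.FSGroup))` narrows the ID through `int`; `strconv.FormatInt(*pool.SecurityContext.FSGroup, 10)` avoids the conversion and matches what convertK8sSCToModelSC already does. parseTenantPool starts and ends outside the hunk.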
@@ -50,32 +50,32 @@ func convertModelSCToK8sSC(sc *models.SecurityContext) (*corev1.PodSecurityConte
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
RunAsGroup, err := strconv.ParseInt(*sc.RunAsGroup, 10, 64)
|
||||
runAsGroup, err := strconv.ParseInt(*sc.RunAsGroup, 10, 64)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
FsGroup, err := strconv.ParseInt(*sc.FsGroup, 10, 64)
|
||||
fsGroup, err := strconv.ParseInt(sc.FsGroup, 10, 64)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &corev1.PodSecurityContext{
|
||||
RunAsUser: &runAsUser,
|
||||
RunAsGroup: &RunAsGroup,
|
||||
RunAsGroup: &runAsGroup,
|
||||
RunAsNonRoot: sc.RunAsNonRoot,
|
||||
FSGroup: &FsGroup,
|
||||
FSGroup: &fsGroup,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// convertK8sSCToModelSC validates and converts from corev1.PodSecurityContext to models.SecurityContext
|
||||
func convertK8sSCToModelSC(sc *corev1.PodSecurityContext) *models.SecurityContext {
|
||||
runAsUser := strconv.FormatInt(*sc.RunAsUser, 10)
|
||||
RunAsGroup := strconv.FormatInt(*sc.RunAsGroup, 10)
|
||||
FsGroup := strconv.FormatInt(*sc.FSGroup, 10)
|
||||
runAsGroup := strconv.FormatInt(*sc.RunAsGroup, 10)
|
||||
fsGroup := strconv.FormatInt(*sc.FSGroup, 10)
|
||||
return &models.SecurityContext{
|
||||
RunAsUser: &runAsUser,
|
||||
RunAsGroup: &RunAsGroup,
|
||||
RunAsGroup: &runAsGroup,
|
||||
RunAsNonRoot: sc.RunAsNonRoot,
|
||||
FsGroup: &FsGroup,
|
||||
FsGroup: fsGroup,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
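Review bot: convertK8sSCToModelSC still dereferences `*sc.RunAsUser`, `*sc.RunAsGroup` and `*sc.FSGroup` without a nil check, which is the same crash this commit removes from parseTenantPool; a guarded version is sketched below. In convertModelSCToK8sSC, `strconv.ParseInt(sc.FsGroup, 10, 64)` returns an error for the empty string, so a request that omits the now-optional fsGroup fails; wrap the parse in `if sc.FsGroup != ""` and leave `FSGroup` nil otherwise. The new `FsGroupChangePolicy` field is not copied in either direction in the visible lines, so a policy set through the API appears to be dropped before it reaches the pod spec. convertModelSCToK8sSC begins outside the hunk.

```go
func convertK8sSCToModelSC(sc *corev1.PodSecurityContext) *models.SecurityContext {
	// Every field of PodSecurityContext is optional: copy only what is set.
	out := &models.SecurityContext{RunAsNonRoot: sc.RunAsNonRoot}
	if sc.RunAsUser != nil {
		v := strconv.FormatInt(*sc.RunAsUser, 10)
		out.RunAsUser = &v
	}
	if sc.RunAsGroup != nil {
		v := strconv.FormatInt(*sc.RunAsGroup, 10)
		out.RunAsGroup = &v
	}
	if sc.FSGroup != nil {
		out.FsGroup = strconv.FormatInt(*sc.FSGroup, 10)
	}
	if sc.FSGroupChangePolicy != nil {
		out.FsGroupChangePolicy = string(*sc.FSGroupChangePolicy)
	}
	return out
}
```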
@@ -3457,7 +3457,6 @@ definitions:
|
||||
- runAsUser
|
||||
- runAsGroup
|
||||
- runAsNonRoot
|
||||
- fsGroup
|
||||
properties:
|
||||
runAsUser:
|
||||
type: string
|
||||
@@ -3467,6 +3466,8 @@ definitions:
|
||||
type: boolean
|
||||
fsGroup:
|
||||
type: string
|
||||
fsGroupChangePolicy:
|
||||
type: string
|
||||
|
||||
allocatableResourcesResponse:
|
||||
type: object
|
||||
|
||||
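Review bot: The new `fsGroupChangePolicy` property is declared as a free-form `type: string`, so the console API accepts any value and an invalid one is only caught later, if at all, when the pod spec reaches Kubernetes. Kubernetes defines two values for this field, so the schema can constrain it with `enum: [Always, OnRootMismatch]`. With `fsGroup` dropped from `required` in the first hunk, the handlers that parse it also have to accept an absent value. The securityContext definition starts outside both hunks.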
@@ -41,7 +41,7 @@ function install_operator() {
|
||||
echo "Installing Current Operator"
|
||||
|
||||
# TODO: Compile the current branch and create an overlay to use that image version
|
||||
try kubectl apply -k "${SCRIPT_DIR}/../../portal-ui/tests/scripts/resources"
|
||||
try kubectl apply -k "${SCRIPT_DIR}/../portal-ui/tests/scripts/resources"
|
||||
|
||||
echo "Waiting for k8s api"
|
||||
sleep 10
|
||||
@@ -91,4 +91,4 @@ function check_tenant_status() {
|
||||
kubectl run admin-mc -i --tty --image minio/mc --command -- bash -c "until (mc alias set minio/ https://minio.$1.svc.cluster.local $USER $PASSWORD); do echo \"...waiting... for 5secs\" && sleep 5; done; mc admin info minio/;"
|
||||
|
||||
echo "Done."
|
||||
}
|
||||
}
|
||||
@@ -24,8 +24,8 @@ function install_tenants() {
|
||||
echo "Installing tenants"
|
||||
|
||||
# Install lite & kes tenants
|
||||
try kubectl apply -k "${SCRIPT_DIR}/../../portal-ui/tests/scripts/tenant-lite"
|
||||
try kubectl apply -k "${SCRIPT_DIR}/../../portal-ui/tests/scripts/tenant-kes-encryption"
|
||||
try kubectl apply -k "${SCRIPT_DIR}/../portal-ui/tests/scripts/tenant-lite"
|
||||
try kubectl apply -k "${SCRIPT_DIR}/../portal-ui/tests/scripts/tenant-kes-encryption"
|
||||
|
||||
echo "Waiting for the tenant statefulset, this indicates the tenant is being fulfilled"
|
||||
waitdone=0
|
||||